Please help this NOOB..213.155.31.136/serv/gate.php

I've studied this entire site looking through the tips and stickies… I've downloaded CCleaner, done the scan as well as other things, and still I can't get rid of this Avast pop-up that comes up every 5 minutes saying 213.155.31.136/serv/gate.php was blocked.

It's driving me nuts… any help is greatly appreciated.

I have the CCleaner report, but it says it's too much, too many characters for this post.

Hi there, let me see what you have.

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif

Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

THEN

Download OTS to your Desktop and double-click on it to run it

- Make sure you close all other programs and don’t use the PC while the scan runs.
- Select All Users.
- Under additional scans select the following:
  Reg - Disabled MS Config Items
  Reg - Drivers32
  Reg - NetSvcs
  Reg - SafeBoot Minimal
  Reg - Shell Spawning
  Evnt - EventViewer Logs (Last 10 Errors)
  File - Lop Check
- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete, Notepad will open with the report file loaded in it.
- Please attach the log in your next post.

Hi usmcscout123,

Did you read this: http://xml.ssdsandbox.net/index.php/2dfe1699bd3fb09b140d5b95d023a275
Malware resides here: hxtp://213.155.31.136/hshhgajjsggsajd/sutra/kzkzhlipgpjvy.jar
Threat: a6a7a760c0e <<< JAVAMesdeh.D malware aka Trojan maljava

A malicious Java file that exploits one or more vulnerabilities; after essexboy’s cleansing routine you should update all the software on that computer after an online scan here: http://secunia.com/vulnerability_scanning/online/?task=load

But from the connections made, we have to conclude you probably have a SpyEye infection.

When a SpyEye bot running on an infected computer starts up, it immediately sends a message to check in with its Command & Control server. This first message contains some basic information about the bot infector and the computer it is running on. Here is an example, with the parameters highlighted.

http://(server)/gate.php?guid=uname!cname!1A2B3C4D&ver=10260&stat=ONLINE&ie=6.0


Quote source: http://blog.fortinet.com/tag/research/ (author of article named “A Guide to SpyEye C&C Messages” by Doug Macdonald February 15, 2011)

polonus
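The check-in format polonus quotes above, turned into a defender's detection check over proxy logs. This is an added example, not code from the thread or from the Fortinet article; the log layout (timestamp, client IP, method, URL) and the sample lines are constructed, with the user and computer name borrowed from the aswMBR log in this thread.

```python
"""Added example (not from the thread or the Fortinet article): flag SpyEye-style
check-ins to a gate.php C&C endpoint in web-proxy logs, using the quoted format
  http://(server)/gate.php?guid=uname!cname!1A2B3C4D&ver=10260&stat=ONLINE&ie=6.0
The log layout (timestamp, client IP, method, URL) is constructed for this example."""
from collections import namedtuple
from urllib.parse import parse_qs, urlsplit

# Query parameters the quoted first message carries.
CHECKIN_PARAMS = {"guid", "ver", "stat"}

# client = infected host seen by the proxy; user/host/bot_id are split out of guid.
CheckIn = namedtuple("CheckIn", "client server path user host bot_id version status")

def parse_checkin(client_ip, url):
    """Return a CheckIn if url looks like a SpyEye gate.php beacon, else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/gate.php"):
        return None
    query = parse_qs(parts.query)
    if not CHECKIN_PARAMS.issubset(query):
        return None
    # guid is "uname!cname!id" joined with '!' in the quoted format.
    guid_fields = query["guid"][0].split("!")
    if len(guid_fields) != 3:
        return None
    user, host, bot_id = guid_fields
    return CheckIn(client_ip, parts.netloc, parts.path, user, host, bot_id,
                   query["ver"][0], query["stat"][0])

def scan_log(lines):
    """Collect a CheckIn for every beacon-shaped request in the log lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4:
            hit = parse_checkin(fields[1], fields[3])
            if hit:
                hits.append(hit)
    return hits

# Constructed sample: a benign request, a beacon shaped like the quoted message
# (user/computer names taken from the aswMBR log in this thread), and a gate.php
# URL that lacks the check-in parameters and so must not be flagged.
SAMPLE_LOG = [
    "2011-04-08T12:10:01 10.0.0.5 GET http://www.example.com/index.html",
    "2011-04-08T12:15:02 10.0.0.5 GET http://213.155.31.136/serv/gate.php"
    "?guid=Owner!OWNER-PC!1A2B3C4D&ver=10260&stat=ONLINE&ie=6.0",
    "2011-04-08T12:20:03 10.0.0.7 GET http://www.example.org/gate.php?page=2",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.client} -> {h.server}{h.path} {h.user}@{h.host} "
              f"id={h.bot_id} ver={h.version} stat={h.status}")
```

Matching on the parameter set rather than the IP alone means the check still fires when the C&C server moves, which is the point of pivoting from the blocked address to the message format.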

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-08 12:13:47

12:13:47.199 OS Version: Windows 6.0.6002 Service Pack 2
12:13:47.199 Number of processors: 2 586 0xF0D
12:13:47.199 ComputerName: OWNER-PC UserName: Owner
12:13:49.492 Initialize success
12:14:06.730 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
12:14:06.730 Disk 0 Vendor: Hitachi_ FB4O Size: 305245MB BusType: 3
12:14:06.746 Disk 0 MBR read successfully
12:14:06.746 Disk 0 MBR scan
12:14:06.761 Disk 0 scanning sectors +625139712
12:14:06.777 Disk 0 scanning C:\Windows\system32\drivers
12:14:13.469 Service scanning
12:14:15.794 Disk 0 trace - called modules:
12:14:15.809 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
12:14:15.825 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x88652ac8]
12:14:15.825 3 CLASSPNP.SYS[8c5a28b3] → nt!IofCallDriver → [0x874b0700]
12:14:15.825 5 acpi.sys[8068e6bc] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x866e9028]
12:14:15.825 Scan finished successfully

MBR is good, so let’s see what OTS reveals.

Won’t let me post OTS because the text is too large?

Upload it to RapidShare or SkyDrive, whatever… and give the link here :wink:

Could you ensure it is saved as ANSI and not Unicode? It should fit then.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Untitled.gif

OTS Report
Not sure which one is right; I had two .txt documents.

http://rapidshare.com/files/456518419/OTS.Txt

http://rapidshare.com/files/456518707/OTL.Txt

Hi, you have some infected USB drives, and AVG has left some drivers still running ;D

On completion, let me know if the problem is still apparent.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Driver Services - Safe List]
YY -> (MpKsl7bb8f3db) MpKsl7bb8f3db [Kernel | System | Running] -> 
YY -> (Avgtdix) AVG TDI Driver [Kernel | Disabled | Running] -> 
YY -> (Avgrkx86) AVG Anti-Rootkit Driver [File_System | Disabled | Running] -> 
YY -> (AVGIDSShim) AVGIDSShim [Kernel | Disabled | Running] -> 
YY -> (AVGIDSFilter) AVGIDSFilter [Kernel | Disabled | Running] -> 
YY -> (AVGIDSEH) AVGIDSEH [Kernel | Disabled | Running] -> 
YY -> (AVGIDSDriver) AVGIDSDriver [Kernel | Disabled | Running] -> 
[Registry - Safe List]
< FireFox Extensions [Program Folders] > -> 
YY -> No name found -> C:\PROGRAM FILES\AVG\AVG10\FIREFOX
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> MRI_DISABLED [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{0BF43445-2F28-4351-9252-17FE6E806AA0}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3570320739-1737594718-479680718-1000\] > -> HKEY_USERS\S-1-5-21-3570320739-1737594718-479680718-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{472734EA-242A-422B-ADF8-83D1E48CC825}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> "AvgUninstallURL" -> C:\Windows\System32\cmd.exe [cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVMV0gtR0JZUzQtOU5USEQtUUE3WEQtQzJRSEgtTkZGS0o"&"inst=NzctNTc3NzYzMTI2"&"prod=90"&"ver=10.0.1204]
< Run [HKEY_USERS\S-1-5-21-3570320739-1737594718-479680718-1000\] > -> HKEY_USERS\S-1-5-21-3570320739-1737594718-479680718-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "B8FD6570F25AE774" -> C:\ProgData\ProgData.exe [C:\ProgData\ProgData.exe]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{0ee002ea-d3c3-11dd-8bbe-001e68eb7212} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0ee002ea-d3c3-11dd-8bbe-001e68eb7212}\shell\AutoRun\command -> 
YN -> \{0ee002ea-d3c3-11dd-8bbe-001e68eb7212}\shell\AutoRun\command\\"" -> [C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL JaiJaeQ.ExE]
YN -> \{4a981831-d2df-11dd-b733-001e68eb7212} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4a981831-d2df-11dd-b733-001e68eb7212}\shell\AutoRun\command -> 
YN -> \{4a981831-d2df-11dd-b733-001e68eb7212}\shell\AutoRun\command\\"" -> [C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\JAiJaEq.exE]
YN -> \{6f554c96-c747-11de-8838-00238b0fe603} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6f554c96-c747-11de-8838-00238b0fe603}\shell\AutoRun\command -> 
YN -> \{6f554c96-c747-11de-8838-00238b0fe603}\shell\AutoRun\command\\"" -> [C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\LaqEG.EXE]
YN -> \{8a486086-f0b4-11de-be4c-00238b0fe603} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8a486086-f0b4-11de-be4c-00238b0fe603}\shell\AutoRun\command -> 
YN -> \{8a486086-f0b4-11de-be4c-00238b0fe603}\shell\AutoRun\command\\"" -> [C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\jaijAeQ.exE]
YN -> \{9aac6711-dd08-11de-aac1-00238b0fe603} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9aac6711-dd08-11de-aac1-00238b0fe603}\shell\AutoRun\command -> 
YN -> \{9aac6711-dd08-11de-aac1-00238b0fe603}\shell\AutoRun\command\\"" -> [C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\ViUoQU.eXe]
[File - Lop Check]
NY ->  AVG10 -> C:\Users\Owner\AppData\Roaming\AVG10
[Custom Items]
:Files
C:\ProgData
ipconfig /flushdns /c
C:\PROGRAM FILES\AVG
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
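The MountPoints2 entries in the fix above are what essexboy means by infected USB drives: Windows records, per user, an AutoRun handler for each volume that was mounted, taken from the drive's autorun.inf at the time, so stale handlers point back at the drives that carried the infection. As an added example (not OTS code), the following pulls those handlers out of OTS-style report lines and flags the ones that launch an executable through ShellExec_RunDLL, as every entry in this thread does; the sample lines are copied from the fix script above, plus one constructed entry with a different handler.

```python
"""Added example (not OTS code): list the per-volume AutoRun handlers that
MountPoints2 recorded for previously mounted drives, from lines in an OTS
report shaped like the fix above, and flag handlers that launch an executable
through ShellExec_RunDLL the way the entries in this thread do."""
import re

# YN -> \{<volume guid>}\shell\AutoRun\command\\"" -> [<command>]
AUTORUN_RE = re.compile(
    r'^Y[YN] -> \\\{(?P<guid>[0-9a-f-]{36})\}\\shell\\AutoRun\\command'
    r'\\\\"" -> \[(?P<cmd>.*)\]$', re.IGNORECASE)
# rundll32 shell32.dll,ShellExec_RunDLL <target>: a bare file name resolves
# against the root of the inserted volume, a drive-letter path to that drive.
SHELLEXEC_RE = re.compile(r'ShellExec_RunDLL\s+(?P<target>\S+)', re.IGNORECASE)


def autorun_commands(lines):
    """Return {volume_guid: command} for each AutoRun\\command entry found."""
    found = {}
    for line in lines:
        m = AUTORUN_RE.match(line.strip())
        if m:
            found[m.group("guid").lower()] = m.group("cmd")
    return found


def launched_target(command):
    """File that ShellExec_RunDLL would start, or None for other handlers."""
    m = SHELLEXEC_RE.search(command)
    return m.group("target") if m else None


def suspicious(command):
    """True when the handler starts a .exe from the volume itself."""
    target = launched_target(command)
    return target is not None and target.lower().endswith(".exe")


# Sample lines copied from the fix script in this thread, plus a constructed
# entry (made-up GUID) for a volume whose handler is not a ShellExec launch.
SAMPLE_OTS = [
    r'YN -> \{0ee002ea-d3c3-11dd-8bbe-001e68eb7212}\shell\AutoRun\command\\"" -> '
    r'[C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL JaiJaeQ.ExE]',
    r'YN -> \{4a981831-d2df-11dd-b733-001e68eb7212}\shell\AutoRun\command\\"" -> '
    r'[C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\JAiJaEq.exE]',
    r'YN -> \{11111111-2222-3333-4444-555555555555}\shell\AutoRun\command\\"" -> '
    r'[C:\Windows\system32\RunDLL32.EXE Shell32.DLL,Control_RunDLL]',
]

if __name__ == "__main__":
    for guid, cmd in autorun_commands(SAMPLE_OTS).items():
        flag = "SUSPICIOUS" if suspicious(cmd) else "ok"
        print(f"{guid}: {flag:10} {launched_target(cmd)}")
```

Deleting the MountPoints2 keys, as the fix does, only clears the stale handlers; the drives themselves still need to be cleaned (or reformatted) before they are plugged in again.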

All Processes Killed
[Driver Services - Safe List]
Error: No service named MpKsl7bb8f3db was found to stop!
Service\Driver key MpKsl7bb8f3db not found.
File not found.
Error: No service named Avgtdix was found to stop!
Service\Driver key Avgtdix not found.
File not found.
Error: No service named Avgrkx86 was found to stop!
Service\Driver key Avgrkx86 not found.
File not found.
Error: No service named AVGIDSShim was found to stop!
Service\Driver key AVGIDSShim not found.
File not found.
Error: No service named AVGIDSFilter was found to stop!
Service\Driver key AVGIDSFilter not found.
File not found.
Error: No service named AVGIDSEH was found to stop!
Service\Driver key AVGIDSEH not found.
File not found.
Error: No service named AVGIDSDriver was found to stop!
Service\Driver key AVGIDSDriver not found.
File not found.
[Registry - Safe List]
File C:\PROGRAM FILES\AVG\AVG10\FIREFOX not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{DBC80044-A445-435b-BC74-9C25C1C588A9}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\MRI_DISABLED\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\{0BF43445-2F28-4351-9252-17FE6E806AA0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{0BF43445-2F28-4351-9252-17FE6E806AA0}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_USERS\S-1-5-21-3570320739-1737594718-479680718-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{472734EA-242A-422B-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{472734EA-242A-422B-ADF8-83D1E48CC825}\ not found.
Registry value HKEY_USERS\S-1-5-21-3570320739-1737594718-479680718-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AvgUninstallURL not found.
Registry value HKEY_USERS\S-1-5-21-3570320739-1737594718-479680718-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B8FD6570F25AE774 deleted successfully.
C:\ProgData\ProgData.exe moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{0ee002ea-d3c3-11dd-8bbe-001e68eb7212}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{0ee002ea-d3c3-11dd-8bbe-001e68eb7212}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{0ee002ea-d3c3-11dd-8bbe-001e68eb7212}\shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{0ee002ea-d3c3-11dd-8bbe-001e68eb7212}\shell\AutoRun\command not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{4a981831-d2df-11dd-b733-001e68eb7212}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{4a981831-d2df-11dd-b733-001e68eb7212}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{4a981831-d2df-11dd-b733-001e68eb7212}\shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{4a981831-d2df-11dd-b733-001e68eb7212}\shell\AutoRun\command not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{6f554c96-c747-11de-8838-00238b0fe603}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{6f554c96-c747-11de-8838-00238b0fe603}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{6f554c96-c747-11de-8838-00238b0fe603}\shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{6f554c96-c747-11de-8838-00238b0fe603}\shell\AutoRun\command not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8a486086-f0b4-11de-be4c-00238b0fe603}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{8a486086-f0b4-11de-be4c-00238b0fe603}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8a486086-f0b4-11de-be4c-00238b0fe603}\shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8a486086-f0b4-11de-be4c-00238b0fe603}\shell\AutoRun\command not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{9aac6711-dd08-11de-aac1-00238b0fe603}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{9aac6711-dd08-11de-aac1-00238b0fe603}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{9aac6711-dd08-11de-aac1-00238b0fe603}\shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{9aac6711-dd08-11de-aac1-00238b0fe603}\shell\AutoRun\command not found.
[File - Lop Check]
C:\Users\Owner\AppData\Roaming\AVG10\cfgall folder moved successfully.
C:\Users\Owner\AppData\Roaming\AVG10 folder moved successfully.
[Custom Items]
========== FILES ==========
C:\ProgData folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
c:\Users\Owner\Downloads\cmd.bat deleted successfully.
c:\Users\Owner\Downloads\cmd.txt deleted successfully.
C:\PROGRAM FILES\AVG\AVG10\Toolbar folder moved successfully.
C:\PROGRAM FILES\AVG\AVG10\Notification folder moved successfully.
C:\PROGRAM FILES\AVG\AVG10\Icons folder moved successfully.
C:\PROGRAM FILES\AVG\AVG10 folder moved successfully.
C:\PROGRAM FILES\AVG folder moved successfully.
[Empty Temp Folders]

User: All Users

User: Cory

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Owner
->Temp folder emptied: 634093 bytes
->Temporary Internet Files folder emptied: 49648803 bytes
->Java cache emptied: 8149103 bytes
->FireFox cache emptied: 48404192 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 2006311 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 62628978 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 9583937 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes
RecycleBin emptied: 456 bytes

Total Files Cleaned = 173.00 mb

[EMPTYFLASH]

User: All Users

User: Cory

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Owner
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 04082011_134806

Files\Folders moved on Reboot…
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot…

How does she look? ;D

To me, good - but more to the point, how is the system? Any more alerts?

So far so good! I will repost here in this thread if it comes back. You are a god-like computer genius! ;D Thanks!

Once you are happy then run OTS and hit the cleanup button ;D